Best Infosec-Related Long Reads of the Week, 9/17/22

Best Infosec-Related Long Reads of the Week, 9/17/22

The search for dirt on Mudge, Enslaving people to be cyberscammers, Deep dive on China's vulnerability disclosure laws , A Chinese spy's secrets revealed, Modi's geotagging trick on India's citizens

Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Let us know what you think, and feel free to let us know of your favorite long-reads via Twitter @Metacurity. We’ll gladly credit you with a hat tip. Happy reading!

two women sitting on green chairs

The Search for Dirt on the Twitter Whistle-Blower

The great Ronan Farrow had this surprisingly timely piece this week, appearing on the same day that Twitter’s former cybersecurity chief Peiter (Mudge) Zatko testified before the Senate Judiciary Committee on the digital security failings of the troubled but vital social media giant. It turns out that at least six research outfits had been rummaging around seeking to pay for dirt from Zatko’s friends and colleagues for any information they could get on the whistleblower, presumably on behalf of financial entities looking to make stock trades amid Elon Musk’s wrangling to get out of his deal to buy Twitter.

Sources close to three of the firms—Farallon, Mosaic, and G.L.G.—suggested that they were simply trying to obtain information about Zatko to guide stock trades involving Twitter and maximize profits. A person familiar with G.L.G.’s business said the outreach was “an attempt to assess the credibility of the allegations” and meant “to better inform investment decisions.” A spokesperson for AlphaSights said that, “as a matter of policy and contractual obligations, we do not disclose the identity of our clients.” Hahn, the Twitter spokesperson, told me, “We have no role in nor did we commission expert networks research regarding Mr. Zatko.” Two members of Musk’s team, who asked not to be named, owing to the sensitivity of the ongoing litigation, said that they also had no connection to the inquiries.

Human Trafficking’s Newest Abuse: Forcing Victims Into Cyberscamming

Cezary Podkul, with Cindy Liu for ProPublica, tell the disturbing story of how tens of thousands of people from across Asia have been forced into cyber scamming people in America and worldwide. In a modern twist of “buying on scrip,” which in the 20th century created indentured servants for coal companies who enticed miners to buy overpriced goods on credit from their company stores, cybercrime gangs dupe people into defrauding victims out of their life savings until they can pay off the money they owe.

Tens of thousands of people from China, Taiwan, Thailand, Vietnam and elsewhere in the region have been similarly tricked. Phony job ads lure them into working in Cambodia, Laos and Myanmar, where Chinese criminal syndicates have set up cyberfraud operations, according to interviews with human rights advocates, law enforcement personnel, rescuers and a dozen victims of this new form of human trafficking. The victims are then coerced into defrauding people all around the world. If they resist, they face beatings, food deprivation or electric shocks. Some jump from balconies to escape. Others accept their lot and become paid participants in cybercrime.

Dragon tails: Preserving international cybersecurity research

Stewart Scott, Sara Ann Brackett, Yumi Gambrill, Emmeline Nettles, and Trey Herr produce this DFR Lab report that “analyzes a series of Chinese regulatory changes altering vulnerability disclosure practices to assess their impact on the supply of research from China’s significantly productive community.” Their study found that while Chinese national regulations affect the supply of vulnerability research under some circumstances, the effect is not as significant, consistent, or discernible as might first be expected. The authors conclude that it’s wise to focus on strengthening the health of the global vulnerability-research community.

For at least a decade, Chinese corporate research teams and individual researchers have dominated marquee hacking competitions and corporate bounty programs, scouring everything from browsers and mobile operating systems to networking gear. Their dominance in hacking competitions halted abruptly in 2018, when China blocked its researchers from participating in such events abroad. Soon after, the Regulations on the Management of Network Product Security Vulnerabilities, or RMSV for short, took effect in September 2021. The law requires Chinese network product providers to notify the country’s Ministry of Industry and Information Technology (MIIT) about vulnerabilities found in “network products” within a few days of reporting them to the appropriate vendor. As 2021 wound to a close, the legal environment for Chinese vulnerability research appeared fraught with the potential for a chilling effect caused by the ambiguities and requirements within the RMSV.

A Chinese Spy Wanted GE’s Secrets, But the US Got China’s Instead

Jordan Robertson and Drake Bennett of Bloomberg offer this in-depth look at how China’s Ministry of State Security (MSS) runs an intelligence-gathering apparatus targeting ordinary U.S. scientists and engineers. A trial of MSS officer Xu Yanjun in Ohio yielded “an extraordinary trove of digital correspondence, official Chinese intelligence documents, even a personal journal,” providing insight into Chinese intelligence officers are trained and operate.

Over two and a half weeks from late last October into November, federal prosecutors in a courtroom in Cincinnati drew on the wealth of digital material the 41-year-old Xu had stockpiled to lay out a portrait of him—his training, methods, and ambitions, his vices and private doubts and grievances. Translated from the original Mandarin, it’s an unprecedentedly intimate portrait of how China’s economic espionage machine works, and what life is like for its cogs.

Would you geotag your home for your government? 50 million Indians did

Srishti Jaswal has this piece in Rest of World about Indian Prime Minister Narendra Modi’s Har Ghar Tiranga (“tricolor on every house”) program that asked Indian citizens to hoist the tricolor flag at their homes, click a photo with it, and upload the images, with a geotag, to a privately hosted website under the banner of the Ministry of Culture, as part of the Independence Day celebrations. By August 15, India’s Independence Day, nearly 60 million Indian citizens complied, handing the hard-right government an unparalleled tool for creating demographic and psychological profiles that can be used for propaganda and other forms of manipulation.

The photographs, many of which were uploaded along with location information, are still publicly available on the website. While the location information is not publicly available, it is retained by the website, which could lead to theft, hacking, and stalking. When siloed information, such as phone numbers, photographs, and location, is processed with other data sets, such as constituency population and voter preferences, it can make citizens vulnerable to “geo-propaganda,” Kodali said.

“Such minute details of individuals can be used to microtarget them in a way that we cannot even anticipate its impact. For instance, such data can be used to target entire neighborhoods of Muslims or people from opposition political beliefs,” he added.

Read more